From b0e9a0ce22c805d0db93dcb93817bbc7e9f90345 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 22 Oct 2008 02:14:45 +0000
Subject: [PATCH] Take advantage of --ctorigdstport
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8795 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 2 ++
 Shorewall-common/lib.base | 4 ++--
 Shorewall-common/releasenotes.txt | 12 +++++++++++-
 Shorewall-perl/Shorewall/Accounting.pm | 3 +++
 Shorewall-perl/Shorewall/Actions.pm | 1 +
 Shorewall-perl/Shorewall/Chains.pm | 15 ++++++++++++++-
 Shorewall-perl/Shorewall/Config.pm | 4 ++--
 Shorewall-perl/Shorewall/Nat.pm | 1 +
 Shorewall-perl/Shorewall/Rules.pm | 7 +++++++
 Shorewall-perl/Shorewall/Tc.pm | 1 +
 10 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 9a1eda822..52ed6f665 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -12,4 +12,6 @@ Changes in Shorewall 4.2.1
 6) Applied Lennart Sorensen's patch for length match.
+7) Take advantage --ctorigdstport
+
 Initial release of Shorewall 4.2.0.
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index 7f5cef0c4..086185727 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -1104,7 +1104,7 @@ determine_capabilities() {
 qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
 if [ -n "$CONNTRACK_MATCH" ]; then
- qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+ qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
 fi
 if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
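Review bot: The probe keeps the variable name NEW_CONNTRACK_MATCH but now tests a different feature (`--ctorigdstport` instead of the `!` negation syntax), so a capabilities report saved by an earlier release still says Yes with the old meaning, and a compiler that trusts such a saved file would emit `--ctorigdstport` on an iptables that may not accept it. If saved capability output is reused across upgrades (the release notes point users at `shorewall show capabilities`), a distinct capability name for the port match would make the change visible; failing that, a comment above the probe, `# Probes -m conntrack --ctorigdstport; the older negation-syntax probe was dropped`, at least records it. The added `-p tcp` is presumably needed because the port option is only meaningful with a transport protocol, which is worth a word in the same comment.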
@@ -1211,7 +1211,7 @@ report_capabilities() { report_capability "Multi-port Match" $MULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT report_capability "Connection Tracking Match" $CONNTRACK_MATCH - report_capability "New Connection Tracking Match Syntax" $NEW_CONNTRACK_MATCH + report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH report_capability "Packet Type Match" $USEPKTTYPE report_capability "Policy Match" $POLICY_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 1b114df49..85a7bb9b4 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -90,7 +90,7 @@ Problems corrected in Shorewall 4.2.1 3) iptables 1.4.1 discontinued support of syntax generated by shorewall in some cases. Shorewall now detects when the new syntax - is accepted and uses it instead. + is required and uses it instead. 4) The Shorewall-perl implementation of the LENGTH column in /etc/shorewall/tcrules was incomplete with the result that @@ -170,6 +170,16 @@ Other changes in Shorewall 4.2.1 Beginning November 1, 2008 at noon LCT. +3) If your kernel and iptables support "-m conntrack --ctorigdstport" + then Shorewall will utilize that capability to ensure that when you + do port mapping (change the destination port but not the + destination IP address), the final destination port is not open. + + To use this feature, you must be running Shorewall-perl and the + output of 'shorewall show capabilities' must show: + + Extended Connection Tracking Match Support: Available + New Features in Shorewall 4.2. 1) Shorewall 4.2 contains support for multiple Internet providers diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index f43016f12..9a845568c 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm 
@@ -131,6 +131,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 $source ,
 $dest = ALLIPv4 ,
 '' ,
+ '' ,
 $target ,
 '' ,
 $disposition ,
@@ -151,6 +152,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 $source ,
 $dest ,
 '' ,
+ '' ,
 $target ,
 '' ,
 $disposition ,
@@ -167,6 +169,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 '' ,
 '' ,
 '' ,
+ '' ,
 '' ;
 }
 }
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 579468896..a06476a91 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -568,6 +568,7 @@ sub process_action( $$$$$$$$$$ ) {
 $source ,
 $dest ,
 '', #Original Dest
+ '', #Original Dest port
 "-j $action" ,
 $level ,
 $action ,
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 2b2ff4680..aa2df052e 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1859,7 +1859,7 @@ sub get_interface_mac( $$$ ) {
 #
 # Returns the destination interface specified in the rule, if any.
 #
-sub expand_rule( $$$$$$$$$$ )
+sub expand_rule( $$$$$$$$$$$ )
 {
 my ($chainref , # Chain
 $restriction, # Determines what to do with interface names in the SOURCE or DEST
@@ -1867,6 +1867,7 @@ sub expand_rule( $$$$$$$$$$ )
 $source, # SOURCE
 $dest, # DEST
 $origdest, # ORIGINAL DEST
+ $oport, # original destination port
 $target, # Target ('-j' part of the rule)
 $loglevel , # Log level (and tag)
 $disposition, # Primative part of the target (RETURN, ACCEPT, ...)
@@ -2043,6 +2044,9 @@ sub expand_rule( $$$$$$$$$$ )
 if ( $origdest ) {
 if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
 $origdest = '';
+ if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
+ $rule .= "-m conntrack --ctorigdstport $oport ";
+ }
 } elsif ( $origdest =~ /^detect:(.*)$/ ) {
 #
 # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
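Review bot: `$oport` is interpolated into `"-m conntrack --ctorigdstport $oport "` with no validation, so whatever the caller passes reaches the generated iptables command verbatim; in Rules.pm the value is `$ports` (the rule's port column) copied in the port-mapping branch, and if that column can still hold a comma list, a service name or `-` at that point, compilation succeeds but iptables rejects the rule when the script is loaded. A check before the interpolation, such as `fatal_error "Invalid original destination port ($oport)" unless $oport =~ /^\d+$/;` (assuming fatal_error is in scope here as it is in Rules.pm), moves the failure to compile time; a single numeric port is the safe form, since port ranges for this option are only accepted by later kernels. expand_rule begins and ends outside this hunk.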
@@ -2063,6 +2067,7 @@ sub expand_rule( $$$$$$$$$$ )
 push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
 $rule .= '-m conntrack --ctorigdst $address ';
+ $rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
 } else {
 my $interface = $interfaces[0];
 my $variable = get_interface_address( $interface );
@@ -2070,6 +2075,7 @@ sub expand_rule( $$$$$$$$$$ )
 push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface );
 $rule .= "-m conntrack --ctorigdst $variable ";
+ $rule .= "--origdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
 }
 $origdest = '';
@@ -2094,9 +2100,16 @@ sub expand_rule( $$$$$$$$$$ )
 $oexcl = '';
 }
 }
+
+ if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
+ $rule .= "-m conntrack --ctorigdstport $oport ";
+ }
 }
 } else {
 $oexcl = '';
+ if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) {
+ $rule .= "-m conntrack --ctorigdstport $oport ";
+ }
 }
 #
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 213b1caae..be3b8cfe1 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -178,7 +178,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 XMULTIPORT => 'Extended Multi-port Match',
 CONNTRACK_MATCH => 'Connection Tracking Match',
 NEW_CONNTRACK_MATCH =>
- 'New Connection Tracking Match syntax',
+ 'Extended Connection Tracking Match',
 USEPKTTYPE => 'Packet Type Match',
 POLICY_MATCH => 'Policy Match',
 PHYSDEV_MATCH => 'Physdev Match',
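Review bot: The option appended on the `detect:` path is `--origdstport`, while the three other sites in this commit and the capability probe in Config.pm use `--ctorigdstport`; the conntrack match does not take the shorter spelling, so every rule that reaches this path with a port will be rejected when the generated script loads, and that is exactly the DNAT port-mapping case the feature targets. The identical line appears in the @@ -2070 hunk. The guard also differs here, `&& $oport` versus `defined $oport && $oport ne ''` elsewhere, so both lines should become `$rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '';`. expand_rule begins and ends outside this hunk.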
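Review bot: The three-line guard `if ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) { $rule .= "-m conntrack --ctorigdstport $oport "; }` is now pasted three times in expand_rule (twice in this hunk, once in the @@ -2043 hunk), which is how the divergent `--origdstport` variant at @@ -2063 could slip in unnoticed. Computing the fragment once near the top of the sub, `my $oportmatch = ( $capabilities{NEW_CONNTRACK_MATCH} && defined $oport && $oport ne '' ) ? "-m conntrack --ctorigdstport $oport " : '';`, and writing `$rule .= $oportmatch;` at each site keeps every site identical. It is also worth confirming that a rule which already carries a `-m conntrack --ctorigdst` match on this path still loads with the second `-m conntrack` instance appended here.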
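Review bot: The new description is 'Extended Connection Tracking Match' here but 'Extended Connection Tracking Match Support' in lib.base and in the release-notes line users are told to look for, so if this hash feeds any capabilities listing the two outputs disagree by one word. Suggest `NEW_CONNTRACK_MATCH => 'Extended Connection Tracking Match Support',` so all three agree.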
@@ -1558,7 +1558,7 @@ sub determine_capabilities( $ ) {
 $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
 if ( $capabilities{CONNTRACL_MATCH} ) {
- $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" );
+ $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
 }
 if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index 58a74285b..c5f27c3cd 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -278,6 +278,7 @@ sub setup_one_masq($$$$$$$)
 $networks ,
 $destnets ,
 '' ,
+ '' ,
 $target ,
 '' ,
 '' ,
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index a58d0836c..0b5622a65 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -143,6 +143,7 @@ sub process_tos() {
 $src ,
 $dst ,
 '' ,
+ '' ,
 "-j TOS --set-tos $tos" ,
 '' ,
 '' ,
@@ -316,6 +317,7 @@ sub setup_blacklist() {
 $networks ,
 '' ,
 '' ,
+ '' ,
 "-j $target" ,
 '' ,
 $disposition ,
@@ -1024,6 +1026,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 my $destzone;
 my $sourceref;
 my $destref;
+ my $origdstports;
 if ( $source =~ /^(.+?):(.*)/ ) {
 fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
@@ -1135,6 +1138,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 #
 $server = $1; # May be empty
 $serverport = $3; # Not Empty due to RE
+ $origdstports = $ports;
 if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 #
 # Server Port Range
@@ -1227,6 +1231,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $source ,
 $origdest ,
 '' ,
+ '' ,
 $target ,
 $loglevel ,
 $action ,
@@ -1264,6 +1269,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $source ,
 $dest ,
 $origdest ,
+ '',
 '-j RETURN ' ,
 $loglevel ,
 $action ,
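Review bot: The guard on the context line directly above the changed line reads `$capabilities{CONNTRACL_MATCH}` (L for K), a key nothing on this page sets, so `$capabilities{NEW_CONNTRACK_MATCH}` is never assigned in Shorewall-perl and every `--ctorigdstport` site added in Chains.pm stays inert; the tightening the release notes promise (original destination port checked on the port-mapping filter rule) would not be generated, and nothing reports that. `use strict` does not catch a misspelled hash key, which is how this survived. Change it to `if ( $capabilities{CONNTRACK_MATCH} ) {`, and since the feature only switches on through this branch, add a test that the capability dump reports the new capability on a host whose iptables accepts the probe. determine_capabilities continues outside the hunk.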
@@ -1292,6 +1298,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 $source ,
 $dest ,
 $origdest ,
+ $origdstports ,
 "-j $action " ,
 $loglevel ,
 $action ,
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 12e5367e1..5c6ced6dd 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -294,6 +294,7 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
 $source ,
 $dest ,
 '' ,
+ '' ,
 "-j $target $mark" ,
 '' ,
 '' ,